Blog Published: Jun 22, 2026

SearchLeak: How a Microsoft 365 Copilot Search Link Became a One-Click Data Exfiltration Path

SearchLeak shows how a trusted Microsoft 365 Copilot Enterprise Search URL can turn dangerous when the q parameter is treated as instructions instead of a query. Varonis chained that parameter-to-prompt flaw with a streaming HTML rendering race and a Bing image SSRF path, so one click could move user-accessible Microsoft 365 data into an attacker-controlled URL. Defenders need pre-model query validation, render-before-network sanitization, and data-flow policy on outbound fetches.

Prompt InjectionData ExfiltrationSink EnforcementAI CopilotsEnterprise AI
8 applicable AIDEFEND defenses
Source: SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon 
Authors: Dolev Taler, Varonis Threat Labs
Original article: Jun 15, 2026

Threat Analysis

  • Step 1: hide instructions in the search URL. The attacker puts prompt-like text in the Copilot Search q parameter. The link still points to Microsoft, but the query asks Copilot to find internal data and place a value inside an image URL.
  • Step 2: run the query with the victim's access. After the victim clicks, Copilot treats q as instructions and searches Microsoft 365 content the user can reach, including mailbox, calendar, SharePoint, OneDrive, and indexed organizational files.
  • Step 3: exploit streaming output. Copilot streams an HTML img tag before final sanitization turns the answer into inert text. The browser sees the tag and sends the image request before the renderer catches up.
  • Step 4: relay through Bing. CSP blocks direct attacker domains, but Bing image-search endpoints are allowed. Bing then performs the server-side fetch to the attacker URL, with the selected Microsoft 365 data carried in the path. Microsoft remediated the issue as CVE-2026-42824.

Applicable AIDEFEND Defenses (8)

AID-H-019.005
Value-Level Capability Metadata & Data Flow Sink Enforcement
Very High
This is the most direct control for the actual exfiltration path. Copilot may be allowed to retrieve user-accessible Microsoft 365 data, but those values should not be allowed to flow into image URLs, preview services, or any outbound network sink unless policy explicitly permits that value and destination together.
AID-H-006.002
Output Content Sanitization & Validation
Very High
SearchLeak depends on raw HTML becoming live browser behavior while the answer is still streaming. Model output should be escaped, sanitized, and URL-validated before it reaches the DOM, Markdown renderer, or any remote-media loader. Sanitizing only the completed answer is too late if the browser already fired the image request.
AID-H-020.001
URL Normalization & Allowlist Filtering
Very High
The Bing hop shows why a first-party allowlist is not enough. Safe fetch controls should canonicalize generated URLs, inspect the final target of preview and image-fetch parameters, and block relay patterns where an allowed service can be made to request an attacker-controlled URL.
AID-H-002.002
Inference-Time Prompt & Input Validation
High
The q parameter should be treated as untrusted model input before Copilot dispatch. A practical edge gate would canonicalize the value, enforce size and encoding rules, and reject prompt-like instructions such as searching sensitive data and placing it into an image URL.
AID-H-017
System Prompt Hardening
High
Even when a search query is valid, the model needs an explicit instruction hierarchy that keeps URL parameters in a data-only role. The search string can describe what to find, but it should not be able to redefine response behavior, suppress warnings, or turn the answer into an outbound request generator.
AID-D-001.004
LLM Guardrail for Intent/Privilege Escalation
High
A fail-closed guardrail can catch the intent shift in the crafted query: it is no longer asking for search results, it is asking Copilot to locate internal data and encode it into a network request. This is useful, but it should support deterministic input and data-flow controls rather than replace them.
AID-D-003.002
Sensitive Information & Data Leakage Detection
High
The output layer should scan for sensitive values before display, logging, or URL conversion. MFA codes, email subjects, meeting details, file names, or organization-specific identifiers embedded inside a URL path are strong leakage signals, especially when paired with a generated image tag.
AID-D-005.002
Security Monitoring & Alerting for AI
Medium
Monitoring does not stop the click, but it gives defenders a way to find attempted exploitation and regression failures. Useful detections include long encoded Copilot Search q parameters, prompt-like search text, streamed image tags, Bing image-search requests, and attacker-shaped final URLs.

What Defenders Should Do Now

  • Verify Microsoft's remediation for CVE-2026-42824 and keep tracking service advisories, release notes, and any tenant-specific security guidance for Microsoft 365 Copilot.
  • Limit Copilot's data access scope so it does not read unnecessary high-sensitivity data. Review SharePoint, OneDrive, mailbox, calendar, and external-sharing permissions; remove broad access; and label or protect high-sensitivity data with DLP where possible.
  • Add detections in the tools the enterprise actually controls, such as Defender, Purview, proxy, CASB, or SIEM. Useful signals include suspicious Copilot Search links, long or encoded q parameters, Bing image-search requests, and internal-looking values inside outbound URL paths.
  • Treat Copilot Search links as a phishing and data-exfiltration surface. Give users a simple reporting path for unexpected Copilot links, especially links that arrive through email or chat and contain unusually long query strings.
  • Use this case in AI product security reviews. Ask Microsoft or any copilot provider how it validates search parameters, sanitizes streaming output before network requests, inspects final URL destinations, prevents SSRF relay paths, and blocks sensitive values from flowing into external URLs.

Conclusion

SearchLeak matters because it turns several small product behaviors into one working attack chain: a search parameter becomes an instruction, streamed model output becomes browser behavior, and an allowlisted Microsoft service becomes the final network relay. The lesson is to enforce boundaries where data changes role: before search text becomes model input, before model output becomes browser activity, and before Microsoft 365 data can enter an external URL.

Many of the strongest controls must live inside the product. Enterprise customers still have work to do: verify remediation, limit Copilot's data access scope, monitor suspicious outbound connection behavior, and use this case as a concrete requirement in AI product security reviews.